Protecting against an Insider Attack

The key components of protective measures are to detect, delay and respond to malicious acts.

Detect
An organization or facility can detect malicious actions through:

- Security sensors, for example entry and exit control, which may include X-ray inspection, searches, metal detectors, and so forth
- Personnel surveillance
- Monitoring of operational processes

It is difficult to detect an insider's actions because, unlike an outsider, an insider may have the access and knowledge needed to bypass many of the detection measures. As a result, the insider often must be caught later in the attack sequence, for example while manipulating records or data to carry out the attack. The difficulty is compounded by the fact that an insider who has been granted access to knowledge or a physical location has plausible deniability: they can say they are simply doing their job.
One method of combating this is the two-person rule. For a monitored area, this rule requires that at least two people be present so that each can verify that all actions are conducted as authorized. Another method of detection is tracking the location of personnel within a facility, or logging their access to cyber systems. Such records not only help to detect malicious intent but also provide the information needed to trace events if an attack does occur.
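The two methods above, the two-person rule and tracking who is where in a facility, become mechanically checkable once physical-access records and system audit logs are compared against each other. The following Python script is an added example written for this page (it is not part of the original article and assumes a simple badge-reader log and a terminal audit log, both constructed here): it flags a login or action from a terminal in an area the account holder has not badged into, and flags a sensitive action in a controlled area when no second person was badged into that area at the time.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BadgeEvent:
    """One physical access-control record (constructed for this example)."""
    ts: datetime
    person: str
    area: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class SystemEvent:
    """One audit-log record from a terminal located in a controlled area."""
    ts: datetime
    person: str
    area: str       # area where the terminal that produced the event is installed
    action: str


def present_in_area(badge_log, person, area, at):
    """True if the person's last badge event for `area` at or before `at` was an entry."""
    state = None
    for ev in sorted(badge_log, key=lambda e: e.ts):
        if ev.ts > at:
            break
        if ev.person == person and ev.area == area:
            state = ev.direction
    return state == "in"


def people_present(badge_log, area, at):
    """Set of everyone badged into `area` at time `at`."""
    names = {ev.person for ev in badge_log if ev.area == area}
    return {p for p in names if present_in_area(badge_log, p, area, at)}


def audit(badge_log, system_log, sensitive_actions):
    """Return (timestamp, person, reason) for every system event that conflicts
    with the badge records: the actor was not badged into the area holding the
    terminal, or a sensitive action ran with nobody else present (two-person rule)."""
    findings = []
    for ev in sorted(system_log, key=lambda e: e.ts):
        present = people_present(badge_log, ev.area, ev.ts)
        if ev.person not in present:
            findings.append((ev.ts, ev.person,
                             f"actor not badged into {ev.area} for {ev.action}"))
        elif ev.action in sensitive_actions and len(present) < 2:
            findings.append((ev.ts, ev.person,
                             f"two-person rule: no second person present in {ev.area}"))
    return findings


def T(hour, minute):
    """Timestamp helper for the constructed sample day."""
    return datetime(2024, 1, 1, hour, minute)


# Constructed sample records (hypothetical names and area): one morning in a vault.
BADGE_LOG = [
    BadgeEvent(T(8, 0), "alice", "vault", "in"),
    BadgeEvent(T(8, 5), "bob", "vault", "in"),
    BadgeEvent(T(8, 20), "bob", "vault", "out"),
    BadgeEvent(T(9, 30), "alice", "vault", "out"),
]
SYSTEM_LOG = [
    SystemEvent(T(8, 10), "alice", "vault", "login"),             # ok: alice is inside
    SystemEvent(T(8, 15), "alice", "vault", "modify_inventory"),  # ok: bob is also inside
    SystemEvent(T(8, 30), "alice", "vault", "modify_inventory"),  # alone: two-person rule
    SystemEvent(T(9, 0), "carol", "vault", "login"),              # carol never badged in
    SystemEvent(T(9, 45), "alice", "vault", "login"),             # alice badged out at 9:30
]
SENSITIVE = {"modify_inventory"}

if __name__ == "__main__":
    for ts, who, why in audit(BADGE_LOG, SYSTEM_LOG, SENSITIVE):
        print(f"{ts:%H:%M} {who}: {why}")
```

The check is only as strong as the independence of the two logs: an insider who can alter both the badge records and the terminal audit trail defeats it, which is why the badge log should come from its own system of record and a missing badge record should be treated as suspicious rather than as proof of absence.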
Delay

Delaying an attack can be done through personnel, procedures, or physical barriers. The goal is to significantly increase the time it takes for an adversary to carry out an attack, so that detection and response have time to take effect. Examples of such methods include:

- Physical barriers such as vaults and locks
- Surveillance and physical escorts throughout facilities
- Compartmentalization and complexity of tasks, including multi-step processes and separation of duties among multiple individuals
- Special processes and operations, including material access verification
- Emergency exit controls
- False evacuation alarm prevention
- System safety designs, including redundant equipment and automatic equipment shutdown

Response
All employees must be trained to recognize malicious behavior and respond accordingly. Many organizations neglect this step because they believe that having a planned response is a sign of weakness or of a lack of confidence in their security system or employees. The fact is that no security system is effective 100% of the time. An entity that does not plan how to respond after a successful attack leaves itself in a position where the impact of that attack cannot be mitigated.

It is important to remember, however, that any person involved in a response effort could themselves be an insider using the response to mask their attack.
Mitigate or Minimize Consequences

If the attack involves the loss of information, the organization must identify the scope of the loss. If there is a chance that their security system has been compromised, they must update and change their procedures.

If the target was physical material, an inventory should be conducted to identify the volume of the theft. A report must then be made to the proper authorities if the material is sensitive or controlled, for example chemical or nuclear materials.

If a violent attack occurs, the organization must follow its predetermined emergency response plan and repair any damage inflicted on the facility.
